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INTRODUCTION (U) 

(U) In their quest to benefit from the great advantages of networked computer 
systems, the U.S. military and intelligence communities have put almost all of their 
classified information "eggs" into one very precarious basket: computer system 
administrators. A relatively small number of system administrators are able to read, 
copy, move, alter, and destroy almost every piece of classified information handled by a 
given agency or organization. An insider-gone-bad with enough hacking skills to gain root 
privileges might acquire similar capabilities. It seems amazing that so few are allowed to 
control so much - apparently with little or no supervision or security audits. The system 
administrators might audit users, but who audits them? Even if higher level auditing of 
system administrators takes place, it is unlikely that Buch audits are frequent enough or 
extensive enough to be effective, especially against experts who probably know their 
systems better than their auditors. 

T!S UfHJ*hi3 is not meant as an attack on the integrity of system administrators as a 
whole, nor is it an attempt to blame anyone for this gaping vulnerability, ft is, rather, a 
warning that system administrators are likely to be targeted - increasingly targeted - by 
foreign intelligence services because of their special access to information. This is 
especially true for the system administrators of classified networks. Historical evidence of 
foreign intelligence targeting of U.S. communicators - people who had special access to 
cryptographic material - strongly supports this assertion. 

(U) This situation also raises a concern about individual accountability for classified 
information. In short, individual users have lost control over access to electronic versions 

I 

of their classified files. If the next Aldrich Ames turns out to be a system administrator 
who steals and sells classified reports stored on-line by analysts or other users, will the 
users be liable in any way?' Clearly, steps must be taken to counter the threat to system 
administrators and to ensure individual accountability for classified information that is 
created, processed, or stored electronically. 



COMMUNICATORS HAVE BEEN HEAVILY TARGETED 
FOR THEIR ACCESS TO KEYTSWOi. 

i 

tS"t#QlJDuring the Coldj War, untold numbers of people were recruited by Soviet Bloc 
intelligence services to spy against the U.S. and the West, but among the most prized 
agents were U.S. communicators or others who could supply cryptographic material and 
related information. Between 1946 and 1986, at least seventeen U.S. government 
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personnel were known to compromise U.S. cryptographic systems on behalf of foreign 
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SYSTEM ADMINISTRATORS ARE POTENTIALLY MORE LUCRATIVE 
HUMINt TARGETS THAN COMMUNICATORS CHIQ1 

~n Iini Willi system administrators, though, the situation is potentially much worse 
than it has ever been with communicat ors. In part, this is because the system 
administrators can so easily, so auickiv J I steal vast quantities of 

information. Communicators of the past usually sent only relatively short messages and 
"finished” documents, but today’s system administrators can obtain full-length copies of 
entire reports, including draft versions, as well as informal e-mail messages, electronic 
calendar appointments, and a wide variety of other data. 




COMPUTER PERSONNEL (S UO) 

(0 UO) It is their tremendous access to classified information and their control of 
classified computer systems that make system administrators prime targets for foreign 
intelligence recruitment. | 



It Is their tremendous access to classified information and control of 
classified computer systems that makes system administrators prime 
targets for foreign intelligence recruUmentrVSHIQ^ 
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tIO UU^The KGB’s handling of the German Hanover Hackers was one of its earlier 
efforts in the computer hacking arena and was made famous in Cliff Stoll’s book The 
Cuckoo's Egg. The hackers provided passwords, logon account identifications, source code 
and other information for unclassified U.S. government computer systems. The KGB, 
however, considered the case a disaster because the hackers were unreliable and ended up 
exposing the whole operation. For the KGB, it was a learning experience, and by 1991 
they were using the case as an example of. how not to run an operation. The implication is 
that their Russian successor organization, the Russian Foreign Intelligence Service (SVR), 
is now more likely to target insider computer personnel rather than hackers. Of course, 
this does not prevent them from accepting "walk-in" volunteers or using their own 
intelligence personnel to "hack” into systems directly. 



• • . just as unbreakable U.S. cryptography has pushed foreign 
intelligence services to target the people who control the key, so too 
will stronger network security spur increased targeting of the people 
who control the computers. 




increase in general computer exploitation efforts suggests, however, that it is only a 
matter of time before successful computer personnel recruitments are discovered. 



This warning about the HUMINT vulnerability is in no way meant to downplay 
the need for stringent technical security solutions, but just as unbreakable U.S. 
cryptography has pushed foreign intelligence services to target the people who control the 
key, so too will stronger network security spur increased targeting of the people who 
control the computers. 
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THE NEED FOR MORE INDIVIDUAL ACCOUNTABILITY (U) 



(U) This threat highlights the need to control classified electronic files, but, as most 
users of classified client-server networks already know, individuals have far less control 
over their own classified electronic files than they have over their hard copy documents. In 
short, people are doing things with electronic copies of classified information that would 
never be allowed with paper. For example, if a file is sent to the printer and does not print r 

out, it is assumed to be a "glitch" - not a "lost" copy of a classified report. 

{TOtJOl In one incident at NSA, highly classified material printed out after hours on 
the wrong printer in the wrong room and was turned in by the cleaning crew! In another 
incident at NSA, a large number of files sent to a printer at different times hy different 
personnel in one office mysteriously ended up in the queue of another office’s printer. The . 
files were presumed "lost” as a result of some unknown glitch and were not recovered until ; 
the user of the Other office’s printer came back from TD Y and turned the winter on. This 
was not a simple case of usingthe wrong printer name j 

| There have also been many other incidents in which files sent to 
printers never print out or print out months after being sent. 

QS UQj Such problems, however, are not always accidental. In 1994, for example, a 
contractor employee at a Regional Sigint Operations Center (RSOC) was caught accessing 
restricted files on a classified system. In another incident at the same RSOC, three 



From an individual’s standpoint . . . access to electronic versions of 
classified documents is out of control. 
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(U) These mysterious glitches and insider abuses demonstrate how difficult it cah be to 
control electronic files. With hard copy, classified files are locked away in safes or desk 
drawers or cabinets when no-one is around to keep an eye on them. Even when they are 
open during the day, access to any particular room is limited to only certain people. Does 
this mean t hat all individuals have perfect control over their hard copy documents? Of 
course not. I 



[ Nevertheless, access to classified hard 
copy is, in general, still controlled by the people who are responsible for it. 

i 

'^SlJFVorn an individual’s standpoint, however, access to electronic versions of classified 
documents is out of control, intelligence personnel can no longer lock the draft versions of 
their Top Secret SCI reports in their safes at night and go home feeling reasonably secure. 
Instead, those reports and almost everything else they have done is out of their control, 
stored electronically on some server in some other room or even in another building. Now 
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when they go home at night, some of them are undoubtedly plagued by questions that all 
intelligence personnel should ask themselves: 

Exactly how many copies of my computer files exist at any given time 
(including back-up files and tapes)? 

Where are those copies physically located? 

How many people other than me have legitimate access to my computer files, 
who are they, and do they have the proper clearance and the need to know? 

How many people have illegitimate access to my files, either through 
malicious actions or unintentional error? 

When 1 send a file to the printer or over e-mail and it doesn’t make it, is the 
information originally sent destroyed? Stored in a buffer? Printing out on 
some unknown printer in another office? Or has it been captured by an insider 
hacker? 

If the next Aldrich Ames turns out to be an NSA system administrator, and he 
steals and sells copies of my classified computer files, will I be liable in any 
way? 

(U) These are troubling questions because, even though the vast majority of 
intelligence personnel are not system administrators, they are still legally, professionally, 
and morally responsible for the classified information that they produce, handle, or store. 
Users of classified systems must, therefore, be given greater control - individually - over 
the electronic versions of their notes, reports, and other documents. The information at 
risk includes 1 

widely disseminated classified and sensitive-but-unclassified documents; 

highly compartmented information with very strict need to know; 

information protected by the privacy act, such as personnel files, medical 
records, and security files; 

other highly sensitive information, such as Inspector General investigations 
and security investigations for counterintelligence or law enforcement 
matters. | 

■ i 

CONCLUSIONS AND RECOMMENDATIONS (U) 

I 

?SiLThe growing threat to system administrators heightens the need for accountability 
for classified electronic information, but there is no one easy answer to this problem. Most 
users enjoy and appreciate new technology and all of the associated benefits, from e-mail to 
bulletin boards to Web browsers to cost-saving shared resources. It is unlikely that anyone 
wants to return to the pre-client-server era, even if it were possible to do so. Still the 
military and intelligence communities must do something if they are to reestablish 
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individual employees* control over the information for which they are personally 
responsible. Possible actions include the following: 

r -rT". lini rnlrnrnfr counterintelligence scrutiny of system administrators. This is 



(TJ) Allow physical separations from networks. Allow each workstation to 
function as both a stand-alone and a network terminal, with a physical 
disconnect from the LAN or other network. People who need to work on highly 
sensitive matters could thus do so with less anxiety about network attacks by 
physically disconnecting from their LAN. To be effective, this would require 
the more expensive installation of word processing or other applications on 
each workstation - rather than as a shared network resource using "licenses'* - 
but it would also allow people to be productive during network down time. Of 
course, connecting to the network to send e-mail or surf the Web would have to 
be a relatively quick and easy procedure - such as plugging in a cable and then 
clicking on an icon. 

OTTJ 0 lik Provide encryptable hard drives. Analysts and managers should be 
able to store information on their own workstations’ individual hard drives in 
an encrypted form that cannot be decrypted by anyone else, including system 
administrators. Yes, some people will forget a password or something and end 
up losing an important file, but that is the price of individual responsibility. 
Those analysts who do highly compartmented or otherwise sensitive work 
should be provided with removable hard drives that can be encrypted and 
stored in a three-combo safe. It would be preferable if, in the future, all hard 
drives could be removed for storage in a safe to prevent theft or damage from 
fire or other disasters. But then exit inspections would have to be reinstituted 
to help prevent people from carrying the drives out. An alternative would be to 
install sensors at each exit and tag each drive with a trigger mechanism, 
similar to the technology used by stores to combat shoplifting. 

TPOW01.G ive MS and other security organizations more money. It is unwise to 
cut security budgets now, and it’s not only because of the threat of a specially 
equipped Ryder rental 1 van taking out half of the FANX III building. Overall, 
employee susceptibility to foreign intelligence recruitment has probably 
increased in this era of unprecedented budget cuts and the accompanying low 
morale. In the long-term, security acts as a force-multiplier because it limits 
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otherwise exponential losses caused by spies, and good budget planners know 
that force multipliers should not be cut at the same rate as regular forces 
during downsizing. 

These proposed measures would be expensive, but they are necessary given the 
growing foreign HUMINT threat to system administrators. Yes, it is less expensive and far 
more convenient to store everything on servers, but just because it can be done does not 
mean that it should be done. If individual computer users are going to be held accountable 
for the classified information that each personally handles, then they must have more 
control over how and where their information is stored and who has access to it. 
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